04 August 2013

PINs and Passwords, Part 1

by Leigh Lundin

Needles…

More often than you might imagine, financial institutions deploy
inadequate security protection, the type of inadequacy where the word
‘woefully’ often finds itself used. I don’t know how much Discover
has beefed up its on-line security since I last owned a card, but its password protection was
weaker than some porn sites (so I’m told, ahem). It took Capital One and
Washington Mutual a while to come up to speed, but my present bank still allows only a ten-character password.

If a bank left the keys in its door at night or even left it
unlocked, you could hardly blame the curious – or the
wicked – for coming inside and wandering around. But that’s what has
happened in the on-line financial world. Institutions lobby for harsh
penalties, but their rantings and ravings are meant to distract attention from their own
failings.

But a third party is involved: you, the customer. What do you have in
your wallet?

From a consumer's standpoint, we can use
the following to protect ourselves. From the standpoint of crime writers, we can use the information below
to plant clues within a story.

… and PINs

Think about your PIN number, ‘PIN’ singular because most
people use one for everything, even their security alarm code. And past behavior suggests people will continue using an easily exposed code even after reading an article like this.

But wait. Doesn't a 4-digit PIN imply guessing one is only a 1-in-10,000 chance?

Not at all. Knowing a little about you (Social Security Number, birth date, etc.) might help hackers, but the PINs and alarm codes of one in four customers can be reduced to sixteen or so numbers.

Does yours begin with 1? Or 19?

The vast majority of PIN numbers begin with 1 or
0. If yours starts with 1, you’ve reduced the possibilities from 10,000
to 1000. If 19, your herd's shrunk to 100.

Do you use the internationally ubiquitous top N° 1 PIN, 1234? Or another of the
popular sequential variants, 4321, 5678, 6789?

Does your number begin with 19xx, perhaps a date? The possible numbers are now
one hundred, probably a lot less: maybe twenty possibilities if you’re
young and eighty if you aren’t, plus a few more if the number
represents month-and-day (MMDD) or day-and-month (DDMM). Popular dates that go beyond birthdays include George Orwell's literary
1984 and the historical years 1492 and 1776.

Take 2486, which has two strikes against it: It not only comprises semi-sequential
even numbers, but it's also a visual pattern, a diamond on a keypad. Other
popular visuals are a square (1397), a cross (2046), an X (1937), and the most popular of all, a
straight line down the middle (2580). Visual patterns produce deceptively random-looking numbers, but statistics demonstrate they offer little security. And let's face it: Security and convenience find themselves at odds with each other.

[Images: PIN 'heat' map and statistical moiré]

PIN-stripes

Using graphing tools and such visuals as 'heat maps', researchers can
pick out less-than-obvious patterns. Some stand out like stars in the
sky while others exhibit the warp and woof of woven fabric, revealing
unconscious human habits we're unaware of.

People love couplets, paired digits such as 1010, 1212, the
ever-popular 6969, Intel’s 8080, or that Zager and Evans song, 2525.
Even when not using 9898 or 2323, people exhibit a preference for pairs
one numeric step apart such as 2389 (2-3, 8-9) or 5478 (5-4, 7-8)
instead of 2479 or 5668. Perhaps we still hear childhood counting chants in our heads.

A few users exhibit a distinct lack of imagination, to wit: 0001. Others look to pop culture for inspiration, especially fans of James Bond (0007 or 0070), Star Trek (1701), or George Lucas (1138). The 1980s hit 867-5309 peaked at #4 on both the Billboard Hot 100 chart and the hottest 7-digit PIN list.

Some people can’t be bothered at all: 0000, 1111, 2222, 9999, etc.
These same overall patterns persist with PINs longer than four digits,
although people tend to pick phone numbers when forced to select 7 digits, thus adding artificial randomization to the mix.

The problem with guessable PINs surprisingly worsens when customers are forced to use additional digits, moving from about a 25% probability with fifteen numbers to more than 30% (not counting 7 digits, with all those phone numbers). In fact, about half of all 9-digit PINs can be reduced to two dozen possibilities, largely because more than 35% of all people use the all too tempting 123456789. As for the remaining 64%, there's a good chance they're using their Social Security Number, which makes them vulnerable. (And as we know, Social Security Numbers contain their own well-known patterns.)

To reemphasize, the greater the number of digits required, the more predictable selections become. Why? Why does the problem worsen with additional digits? As people are forced to use more digits, I hypothesize they react by falling back on easy-to-recall patterns such as sequences. Someone might remember 3791, but they won't easily recall 379114928, and they may reason 123456789 is as difficult as any other number.
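An added example, not code from the post: a screener that flags the guessable patterns described above (common PINs, keypad shapes, repeated digits, sequences, couplets, adjacent pairs, years and dates) at PIN-selection time. The pattern lists are constructed from the post's own examples; the sequence and couplet checks work for any length, so 123456789 is caught too.

```python
# Added example (not from the post): flag the predictable PIN patterns the
# post describes. Lists below are constructed from the post's examples.

def _steps(digits):
    """Differences between neighbouring digits, e.g. 2389 -> [1, 5, 1]."""
    return [b - a for a, b in zip(digits, digits[1:])]

KEYPAD_SHAPES = {"2486", "1397", "2046", "1937", "2580"}  # diamond, square, cross, X, line
POP_CULTURE = {"0007", "0070", "1701", "1138"}            # Bond, Star Trek, Lucas
TOP_FIVE = {"1234", "1111", "0000", "1212", "7777"}       # head of the post's table

def weak_pin_reasons(pin: str) -> list[str]:
    """Return every reason a PIN is predictable; an empty list means none fired.
    Any length is accepted; the four-digit-only checks are guarded."""
    if not pin.isdigit() or len(pin) < 3:
        raise ValueError("PIN must be at least three decimal digits")
    d = [int(c) for c in pin]
    s = _steps(d)
    reasons = []
    if pin in TOP_FIVE:
        reasons.append("among the five most common PINs")
    if pin in KEYPAD_SHAPES:
        reasons.append("keypad visual pattern")
    if pin in POP_CULTURE:
        reasons.append("pop-culture number")
    if len(set(d)) == 1:
        reasons.append("single repeated digit")
    if all(x == 1 for x in s):
        reasons.append("ascending sequence")
    if all(x == -1 for x in s):
        reasons.append("descending sequence")
    half = len(pin) // 2
    if len(pin) % 2 == 0 and pin[:half] == pin[half:]:
        reasons.append("repeated couplet (ABAB)")
    if len(pin) == 4:
        if abs(s[0]) == 1 and abs(s[2]) == 1:       # 2389 -> (2,3),(8,9)
            reasons.append("two digit pairs one step apart")
        if pin[:2] in ("19", "20"):
            reasons.append("looks like a year")
        mm_dd = 1 <= int(pin[:2]) <= 12 and 1 <= int(pin[2:]) <= 31
        dd_mm = 1 <= int(pin[2:]) <= 12 and 1 <= int(pin[:2]) <= 31
        if mm_dd or dd_mm:
            reasons.append("looks like a calendar date (MMDD/DDMM)")
    return reasons

if __name__ == "__main__":
    for candidate in ("1234", "2580", "1984", "3279", "123456789"):
        print(candidate, weak_pin_reasons(candidate) or "no pattern flagged")
```

The date check deliberately fires on anything that could be a birthday, since the post's point is that an attacker who knows a little about you gets those for free.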

PIN-pricks

The bad guys know these things. They don’t need high-speed analysis
engines or intensive code-cracking software. They know the numbers and
work the odds. As often as not, they can hack into an account – or
your house or your medical files or your life – within moments.

Armed with only four possibilities, hackers can crack 20% of all PINs. Allow
them no more than fifteen numbers, and they can tap the accounts of
more than a quarter of card-holders.

PIN-ups

If you
absolutely cannot remember little-used numbers and carry a reminder, at
least code the number in some way.

• Some take a cue from old-fashioned costing codes that used alphabet substitution for digits: I=1, J=2, K=3, …
• Roman numerals might be another idea, e.g., 2009=MMIX.
• One handy method is to subtract your PIN from 9999 and write that down. When you need
your PIN, you simply subtract the code from 9999 again. (For those who
know hexadecimal (base 16: 0-1-2-3-4-5-6-7-8-9-A-B-C-D-E-F), this geeky
technique is even more effective: where F is 15, subtract your PIN from FFFF, e.g., 9531=6ACE. I used this method to label keys in an apartment complex: 1422B=EBDD4.)
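An added example, not the post's code, of the reminder encodings listed above: the subtract-from-9999 (or FFFF) trick generalised to any base up to 16, and the Roman-numeral idea. The function names and the leading-zero caveat are mine.

```python
# Added example (not the post's code): the post's "subtract from 9999 / FFFF"
# reminder trick for any base up to 16, plus the Roman-numeral variant.

DIGITS = "0123456789ABCDEF"

def complement_code(code: str, base: int = 10) -> str:
    """Replace each digit d with (base-1) - d. No digit ever borrows, so this
    equals subtracting the whole number from 999..9 (or FFF..F) while keeping
    the width, leading zeros included. Applying it twice returns the original,
    so the same function both hides and recovers the PIN."""
    if not 2 <= base <= 16:
        raise ValueError("base must be between 2 and 16")
    out = []
    for ch in code.upper():
        value = DIGITS.find(ch)
        if value < 0 or value >= base:
            raise ValueError(f"{ch!r} is not a base-{base} digit")
        out.append(DIGITS[base - 1 - value])
    return "".join(out)

_ROMAN = [(1000, "M"), (900, "CM"), (500, "D"), (400, "CD"), (100, "C"),
          (90, "XC"), (50, "L"), (40, "XL"), (10, "X"), (9, "IX"),
          (5, "V"), (4, "IV"), (1, "I")]

def to_roman(pin: str) -> str:
    """Write a decimal PIN as a Roman numeral, e.g. 2009 -> MMIX.
    Caveat: Roman numerals have no zero, so a PIN with a leading zero (0439)
    cannot be written back unambiguously; use complement_code for those."""
    n = int(pin)
    if pin[0] == "0" or not 0 < n < 4000:
        raise ValueError("needs a PIN from 1 to 3999 without a leading zero")
    out = []
    for value, symbol in _ROMAN:
        while n >= value:
            out.append(symbol)
            n -= value
    return "".join(out)

if __name__ == "__main__":
    print(complement_code("9531", 16), complement_code("1422B", 16))  # 6ACE EBDD4
    print(complement_code("1234"), to_roman("2009"))                 # 8765 MMIX
```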

Your job – you should choose to accept it – is to make breaking
into your account as difficult as possible, not that institutions tell you what you really need to know. Their usual advice is to
cover ATM and store keypads with your hand. Don’t tell anyone your PIN.
Don’t write it on a stick-em and carry it in your billfold.

But you can do a lot more than that: Make your number as difficult to
guess as possible.

PIN-wheel

So what numbers are rarely used? Generally, the higher the first digit,
the less common the PIN. Of the ten least used PINs, four start
with 8, two with 9, and two with 6. Just don’t blow your efforts with
8888 or 8000, or 9999 or 9000.

Tip: Sure, you want a number you can remember. Toward that
end, I suggest picking an easy four-letter word (or a word with the same number of letters as the number of PIN digits) you can remember, say
‘easy’ itself. Look at E-A-S-Y on a telephone keypad and you’ll see the
letters correspond to 3279, which breaks the most obvious patterns. Reverse the
digits if you like to make the combination harder. If your ATM doesn't show letters, then open your cell phone.

PIN-points

In the following table*
of the twenty most used numbers, it becomes painfully obvious any
baddie who’s learned only the first four or five most popular numbers
can suck the money out of one in five ATM
accounts. With a crib sheet of these twenty numbers, he can boost his takings
to 27%.

Most Common PIN Numbers

rank  PIN   freq %
   1  1234  10.713
   2  1111   6.016
   3  0000   1.881
   4  1212   1.197
   5  7777   0.745
   6  1004   0.616
   7  2000   0.613
   8  4444   0.526
   9  2222   0.516
  10  6969   0.512
  11  9999   0.451
  12  3333   0.419
  13  5555   0.395
  14  6666   0.391
  15  1122   0.366
  16  1313   0.304
  17  8888   0.303
  18  4321   0.293
  19  2001   0.290
  20  1010   0.285

Least Common PIN Numbers

 rank  PIN   freq %
 9981  9047  0.001161
 9982  8438  0.001161
 9983  0439  0.001161
 9984  9539  0.001161
 9985  8196  0.001131
 9986  7063  0.001131
 9987  6093  0.001131
 9988  6827  0.001101
 9989  7394  0.001101
 9990  0859  0.001072
 9991  8957  0.001042
 9992  9480  0.001042
 9993  6793  0.001012
 9994  8398  0.000982
 9995  0738  0.000982
 9996  7637  0.000953
 9997  6835  0.000953
 9998  9629  0.000953
 9999  8093  0.000893
10000  8068  0.000744

* Credit for this table and the heat maps goes to math mensch and privacy professional Nick Berry.
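An added example, not from the post, that turns the top-20 table into data and answers the question the PIN-points section raises from the defender's side: how many accounts a guesser who tries the most popular PINs first can open before an N-attempt lockout stops him. The frequencies are the table's; the function names are mine.

```python
# Added example (not the post's code): the post's top-20 table as data, used
# to size an attempt-lockout policy. Frequencies are percent of all PINs.

TOP_20 = [
    ("1234", 10.713), ("1111", 6.016), ("0000", 1.881), ("1212", 1.197),
    ("7777", 0.745), ("1004", 0.616), ("2000", 0.613), ("4444", 0.526),
    ("2222", 0.516), ("6969", 0.512), ("9999", 0.451), ("3333", 0.419),
    ("5555", 0.395), ("6666", 0.391), ("1122", 0.366), ("1313", 0.304),
    ("8888", 0.303), ("4321", 0.293), ("2001", 0.290), ("1010", 0.285),
]

def coverage(attempts: int) -> float:
    """Percent of accounts opened by trying the `attempts` most popular PINs
    in rank order, i.e. what a guesser gets before a lockout at that count."""
    if not 0 <= attempts <= len(TOP_20):
        raise ValueError("the table only covers the top 20 PINs")
    return sum(freq for _, freq in TOP_20[:attempts])

def attempts_for(target_percent: float):
    """Smallest attempt budget that reaches target_percent of accounts, or
    None when even all twenty table entries fall short of it."""
    for k in range(1, len(TOP_20) + 1):
        if coverage(k) >= target_percent:
            return k
    return None

def lockout_report(max_attempts: int = 6) -> list[tuple[int, float]]:
    """(lockout threshold, exposed percent) pairs for a policy discussion."""
    return [(k, round(coverage(k), 3)) for k in range(1, max_attempts + 1)]

if __name__ == "__main__":
    for k, pct in lockout_report():
        print(f"lockout after {k} attempts: {pct:6.3f}% of accounts exposed")
    print("attempts to reach 20%:", attempts_for(20))
```

The numbers show why a three-strikes lockout alone is weak protection: the first three guesses already open well over 18% of accounts, which only a better PIN can fix.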

PIN-out

Now go forth and protect thy accounts. And drop me a line if you use these clues in your own stories.

Anon, as Janice hints at, once banks and businesses knew their customers by sight and reputation. These days, a bank doesn't know its own employees. So as noted above, they seek to make access easy, perhaps too easy, since institutions can fall back upon "You didn't keep your card and PIN safe." The best we can do is make it as difficult as possible for others to guess our number.

I always use one number followed by the last name of an old boyfriend from many years ago. He is now deceased & I do not talk about him. This method of keeping a password unguessable, probably isn't recommended, but it works for me!

Fascinating and depressing. A while ago I heard a story on NPR about a guy whose four letter pin on his voice mail was broken and he found himself billed for many thousands of long distance calls he had apparently made from Asia one night. The phone company was not interested in his explanations. At that point I changed my four letter phone code to a longer one.

I had a friend in high school whose phone number I still remember. The last four digits were 3941. "The year WWII started, and the year we entered," he told me.

Leigh, I'll leave off any mention of my own pin codes and passwords, for obvious reasons.

However, I think you’ve hit on a very nice mechanism for a puzzle mystery here. The idea of trying to “reverse engineer” or perhaps even “reverse psychoanalyze” what a certain person might find to associate with a given-length pin or pass code, assuming that person was incorporating a mnemonic device that would speak to his/her psyche, but not be common knowledge to others, is a fascinating idea.

Anon, any password that doesn't reveal too much should work, particularly if it's further obscured with a number or special character.

Rob, I still remember a couple of phone numbers from the 70s, one a friend who gave me her number, DEN-CURD, and the other a colleague whose acronym sounded a bit naughty, HAD-MARY. Pretty effective mnemonics.

Dixon, I'm presently wracking my brain for a plot where either good guys or bad guys crack the codes. Can you imagine a cashier or waiter who has hundreds of cards pass through their hands, and we know they can crack one in 4 or 5 with little trouble at all?

This could explain something that happened to me. I left my credit card at a store and by the time I realized it, less than 1 hr later, more than 200 dollars in charges were on it. At the time I wondered how they got my pin number but yeah, I reckon I was using one of your easy to use numbers stead of something harder. Worked out for the crook anyway.

Hey Leigh: I used to have a 6 digit PIN at my big-time bank before they lopped off two and shortened it to 4. What's their philosophy? Codes will be cracked anyway? Or, who cares: We've already thrown away billions of dollars on bad investments? But don't worry, we've got your back. And I accept your challenge. In the next half-year I'll try to come up with a story including your info. Yours truly, Toe.

I can guarantee that they won't be able to crack my passwords for most places - but my PIN number... I'll have to update that. My current one isn't the worst, but it isn't the best, either. Thanks for the tips!